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Introduction 


The Information Commissioner is producing a direct marketing code 
of practice, as required by the Data Protection Act 2018. A draft of 
the code is now out for public consultation. 


The draft code of practice aims to provide practical guidance and 
promote good practice in regard to processing for direct marketing 
purposes in compliance with data protection and e-privacy rules. 
The draft code takes a life-cycle approach to direct marketing. It 
starts with a section looking at the definition of direct marketing to 
help you decide if the code applies to you, before moving on to 
cover areas such as planning your marketing, collecting data, 
delivering your marketing messages and individuals rights. 


The public consultation on the draft code will remain open until 4 
March 2020.The Information Commissioner welcomes feedback on 
the specific questions set out below. 


You can email your response to directmarketingcode@ico.org.uk 
Or print and post to: 


Direct Marketing Code Consultation Team 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation, please 
email the Direct Marketing Code team. 


Privacy statement 


For this consultation we will publish all responses received from 
organisations except for those where the response indicates that they 
are an individual acting in a private capacity (eg a member of the 
public). All responses from organisations and individuals acting in a 
professional capacity (eg sole traders, academics etc) will be published 
but any personal data will be removed before publication (including 
email addresses and telephone numbers). 


For more information about what we do with personal data please see 
our privacy notice 


Q1 Is the draft code clear and easy to understand? 


Yes 
x! No 


If no please explain why and how we could improve this: 


Whilst the code is generally clear and easy to understand, there are some areas that 
would benefit from further clarification: 


We welcome clarification from the ICO that invitations to renewal insurance policies are 
not considered direct marketing. However, it is unclear what the trigger point would be 
for ‘encouraging’ an individual to renew; an example would be beneficial. 


We acknowledge and appreciate the clarity given between a service message and direct 
marketing and were also pleased to see the addition of the reference to ‘Regulatory 
Communications’. We feel that this new inclusion along with the requirements being 
imposed on firms by the FCA in relation to ensuring products meet identified customer 
demands and needs and the potential outcomes of the Pricing Practices consultation; 
mean that we will be able to inform customers about alternative/better products or 
services at renewal - the key will be what and how the information is provided. There are 
clear expectations set out in the Code of what may be considered acceptable in these 
communications. 


However, the ICO should carefully consider where regulatory communications could 
potentially be deemed to be considered as direct marketing. This could lead to customers 
who have opted out of direct marketing being disadvantaged, as Organisations would be 
unable to make them aware of potentially better products or services. This directly 
conflicts the suggested requirement on page 7, point 1.24 of the FCA’s recent GI market 
study for, ‘firms to engage with customers to give them information about alternative 
deals and identify those who may need help in moving to better priced products with 
equivalent cover.’ 


Q2 Does the draft code contain the right level of detail? (When 
answering please remember that the code does not seek to 
duplicate all our existing data protection and e-privacy guidance) 


Yes 
X No 


If no please explain what changes or improvements you would like to 
see? 


We welcome examples provided to support the guidance. However, some of the examples 
are confusing and could be improved: 


~Page 23: The example in Scenario B provided is not useful, as the example ‘direct 
marketing’ message appears to relate directly to patient care and should be a service 
message. People who are higher risk will need flu jabs and need to be reminded as such. 
A more appropriate and clearer example is required. ‘GP sends the following text message 
to a patient: ‘Our flu clinic is now open. If you would like a flu vaccination, please call the 
surgery on 12345678 to make an appointment.’ This is more likely to be considered to be 
direct marketing because it does not relate to the patient’s specific care but rather to a 
general service that is available.’ 


~Page 39: The example is confusing as to when direct marketing could be justified under 
the basis that it is necessary to perform a contract. The example outlines a scenario 
where contract would be the basis, but then advises consent is still required. ‘There may 
be occasions when making direct marketing a condition of service is necessary for that 
service. For example, a retail loyalty scheme that is operated purely for the purposes of 
sending people marketing offers, is likely to be able to show that the direct marketing is 
necessary for that service. But you need to be upfront and clear about this purpose and 
ensure that the consent individuals provide when signing up meets the GDPR standard.’ 


~Page 48: Article 14 Notice: Clarification is required from the ICO as to the extent to 
which Organisations can rely on fair processing notices provided by the company that 
originally collected the data, i.e. if an individual has already been provided with all 
information from the organisation who collected the data within their notice, a new Article 
14 notice should not be required. 


~Page 49: Disproportionate effort - the guidance notes that a fair processing notice does 
not need to be provided if it is disproportionate effort and, ‘If the processing has a minor 
effect on the individual.” The ICO should advise what they consider ‘minor effect’ to mean 
in the context of direct marketing activity and provide a clear example. 


~Page 50: An example of the level of detail the ICO expect to be provided in explaining 
how data will be used for direct marketing purposes will be useful. 


We welcome the due diligence criteria detailed on page 53 as a useful checklist for 
consideration when sourcing data. 


Q3 Does the draft code cover the right issues about direct marketing? 


Yes 
x! No 


If no please outline what additional areas you would like to see 
covered: 


The guidance strongly promotes that Organisations should rely on consent as their legal 
basis to conduct direct marketing. A good practice recommendation noted within the 
guidance is to obtain consent for all direct marketing regardless of whether the Privacy 
and Electronic Communications Regulations requires it; however, the soft opt-in remains 
good law and is a legitimate method to conduct direct marketing, as ratified by ICO’s 


Legitimate Interest guidance. The guidance should respect both legal bases to conduct 
direct marketing equally. 


Q4 Does the draft code address the areas of data protection and e- 


privacy that are having an impact on your organisation’s direct 
marketing practices? 


x! Yes 


No 


If no please outline what additional areas you would like to see covered 


Q5 Is it easy to find information in the draft code? 


xX Yes 


No 


If no, please provide your suggestions on how the structure could be 
improved: 


Q6 Do you have any examples of direct marketing in practice, good or bad, 
that you think it would be useful to include in the code 


x! Yes 


No 


If yes, please provide your direct marketing examples : 


One example of potential regulatory conflict is where a new insurance product was 
created which offered customers enhanced insurance coverage, but at the same price. 
This product was not available when customers originally purchased their insurance 
cover. The insurer needs to treat customers fairly by making them aware of the product 
and the customer will benefit from being aware of the product. A letter was sent to all 
customers who held the existing product to make them aware of the new product; 


however, one complaint resulted in a ruling from the ICO that contact was direct 
marketing. This has highlighted that the potential for customers who have opted-out of 
direct marketing to be disadvantaged, and the need for clearer guidance as to when a 
‘regulatory communication’ is acceptable and will not be deemed to be direct marketing. 


Q7 Do you have any other suggestions for the direct marketing code? 


It would be beneficial to link the guidance relating to suppression lists on page 110, and 
erasure requests on page 113, to the guidance around retention on page 41. These topics 
directly impact how decisions are made regarding retention periods as well as 
considerations for what is in scope for erasure requests and should therefore be read 
alongside each other. This will help set expectations for both Organisations and 
customers on how these elements interact. 


There are some sections of the Code, outlined above, which would benefit from further 
clarification to mitigate the risk that consumers may be disadvantaged if they do not 
receive information about alternative products. However, overall, we feel the Code sets 
clear expectations of acceptable practices, enabling firms to inform customers about 
products/services that may suit their needs. 


About you 


Q8 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

Kl On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


Direct Line Group 


If other please specify: 


PO 


How did you find out about this survey? 


OQ 
Ne) 


ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 

If other please specify: 


Pd 


Thank you for taking the time to complete the survey 


Rs PM ea a a Ti el 


